From patchwork Sun Nov 16 14:07:48 2025
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4606
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Sun, 16 Nov 2025 15:07:48 +0100
Message-ID: <20251116140754.17177-1-gert@greenie.muc.de>
Subject: [Openvpn-devel] [PATCH v1] tls_crypt: Avoid some conversion warnings

From: Frank Lichtenheld

The casts should be safe, since one is a constant (but got type from
sizeof()) and the other is limited by the buffer length.

While here make the code in tls_crypt_v2_wrap_client_key a little
easier to follow.

Change-Id: I3f11423834814bab5d653f160fc2326dae4c0e8e
Signed-off-by: Frank Lichtenheld
Acked-by: Gert Doering
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1379
---

This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1379
This mail reflects revision 1 of this Change.

Acked-by according to Gerrit (reflected above):
Gert Doering

diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c index a808de3..ab719b3 100644 --- a/src/openvpn/tls_crypt.c +++ b/src/openvpn/tls_crypt.c @@ -205,11 +205,6 @@ return false; } -#if defined(__GNUC__) || defined(__clang__) -#pragma GCC diagnostic push -#pragma GCC diagnostic ignored "-Wconversion" -#endif - bool tls_crypt_unwrap(const struct buffer *src, struct buffer *dst, struct crypto_options *opt) { @@ -246,7 +241,7 @@ CRYPT_ERROR("cipher reset failed"); } if (!cipher_ctx_update(ctx->cipher, BPTR(dst), &outlen, BPTR(src) + TLS_CRYPT_OFF_CT, - BLEN(src) - TLS_CRYPT_OFF_CT)) + BLEN(src) - (int)TLS_CRYPT_OFF_CT)) { CRYPT_ERROR("cipher update failed"); } @@ -381,8 +376,9 @@ msg(M_WARN, "ERROR: could not write tag"); return false; } - uint16_t net_len = htons(sizeof(src_key->keys) + BLEN(src_metadata) + TLS_CRYPT_V2_TAG_SIZE - + sizeof(uint16_t)); + const int data_len = BLEN(src_metadata) + sizeof(src_key->keys) + sizeof(uint16_t); + const int tagged_len = data_len + TLS_CRYPT_TAG_SIZE; + const uint16_t net_len = htons((uint16_t)tagged_len); hmac_ctx_t *hmac_ctx = server_key->hmac; hmac_ctx_reset(hmac_ctx); hmac_ctx_update(hmac_ctx, (void *)&net_len, sizeof(net_len));
@@ -396,8 +392,8 @@ ASSERT(cipher_ctx_reset(cipher_ctx, tag)); /* Overflow check (OpenSSL requires an extra block in the dst buffer) */ - if (buf_forward_capacity(&work) < (sizeof(src_key->keys) + BLEN(src_metadata) + sizeof(net_len) - + cipher_ctx_block_size(cipher_ctx))) + const int padded_len = data_len + cipher_ctx_block_size(cipher_ctx); + if (buf_forward_capacity(&work) < padded_len) { msg(M_WARN, "ERROR: could not crypt: insufficient space in dst"); return false; @@ -418,10 +414,6 @@ return buf_copy(wkc, &work); } -#if defined(__GNUC__) || defined(__clang__) -#pragma GCC diagnostic pop -#endif - static bool tls_crypt_v2_unwrap_client_key(struct key2 *client_key, struct buffer *metadata, struct buffer wrapped_client_key, struct key_ctx *server_key)
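
Review bot: in the @@ -246,7 +241,7 @@ hunk, `BLEN(src) - (int)TLS_CRYPT_OFF_CT` is only a valid length if `BLEN(src)` is at least `TLS_CRYPT_OFF_CT`, and no such check appears in the context lines shown here. If a length check earlier in the function guarantees this, a one-line comment at the call saying so would make the cast self-justifying; if not, the subtraction can go negative before it reaches cipher_ctx_update(). Putting the result in a named `const int` would also match the style the patch introduces in tls_crypt_v2_wrap_client_key.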
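
Review bot: in the @@ -381,8 +376,9 @@ hunk, the length computation switches from `TLS_CRYPT_V2_TAG_SIZE` to `TLS_CRYPT_TAG_SIZE`, which the commit message does not mention. net_len is fed into the HMAC on the following lines, so the two constants must have the same value for the tag to stay unchanged; either keep the V2 name or state in the commit message that they are identical. Separately, `htons((uint16_t)tagged_len)` truncates silently if tagged_len exceeds 65535. The commit message says the value is limited by the buffer length, and an `ASSERT(tagged_len <= UINT16_MAX)` or an explicit error return before the cast would enforce that where it matters. The initialiser of data_len also mixes BLEN() with sizeof() terms, so it is worth confirming that this line itself builds clean under -Wconversion.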
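
Review bot: in the @@ -396,8 +392,8 @@ hunk, the overflow check `buf_forward_capacity(&work) < padded_len` now compares against an int, where the old right-hand side was a size_t expression because of its sizeof terms. That changes how the comparison behaves for a negative value on either side, which is more than silencing a warning and should be named in the commit message. The check also relies on data_len from the previous hunk being non-negative and not having wrapped, so the "Overflow check" comment could say what bounds it assumes.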
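
Review bot: the @@ -205,11 +205,6 @@ and @@ -418,10 +414,6 @@ hunks remove a -Wconversion suppression that spanned roughly 200 lines, while the patch changes only three expressions inside that range. Please say in the commit message which compilers and targets were built with -Wconversion enabled after the removal, 32-bit as well as 64-bit, since the size_t to int conversions touched here differ between them.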